Cisco Falls Victim to Voice Phishing: What You Need to Know

Cisco recently announced that one of its representatives was the target of a voice phishing attack. This incident resulted in cybercriminals downloading user information from a third-party customer relationship management (CRM) system.
"Our investigation has determined that the exported data primarily consisted of basic account profile information of individuals who registered for a user account on Cisco.com," Cisco revealed.
The compromised data includes names, organization names, addresses, Cisco-assigned user IDs, email addresses, phone numbers, and account-related metadata such as account creation dates.
However, Cisco gave assurances that the breach did not expose customers' confidential or proprietary information, password data, or other sensitive details. Investigators found no evidence that other CRM instances were affected or that Cisco's products and services were compromised.
Phishing attacks, particularly those using voice calls, have gained popularity among ransomware groups and other threat actors. These criminals use various forms of communication, such as email, voice calls, push notifications, and text messages, to breach defenses. Such attacks have previously affected companies like Microsoft, Okta, and Twitter.
One robust defense against such attacks is multi-factor authentication that conforms to the FIDO industry standard, developed globally by a consortium of organizations. FIDO's cryptographic keys are bound to the domain name being accessed, which prevents attacks from spoofed or lookalike phishing sites. The standard also requires the MFA credential to be in physical proximity to the device that is logging in, which thwarts attacks when the victim is in a different location than the attacker.
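The domain binding described above, shown as the checks a relying-party server runs on a WebAuthn (FIDO2) assertion before accepting it. This is an added example, not code from Cisco or from the article; the host names and sample data are constructed, and the signature check over authenticatorData and the clientDataJSON hash, which a real server must also perform, is left out.

```python
import base64, hashlib, hmac, json

RP_ID = "login.example.com"                    # assumed relying-party ID (constructed)
EXPECTED_ORIGIN = "https://login.example.com"  # assumed legitimate origin (constructed)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_binding(client_data_json: bytes, authenticator_data: bytes,
                  expected_challenge: bytes) -> list:
    """Return the names of failed checks; an empty list means the binding holds."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return ["clientDataJSON"]
    if not isinstance(client, dict) or len(authenticator_data) < 37:
        return ["malformed"]
    failures = []
    if client.get("type") != "webauthn.get":
        failures.append("type")
    # The challenge is a fresh server nonce, so a captured assertion cannot be replayed.
    sent = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, b64url(expected_challenge).encode()):
        failures.append("challenge")
    # The browser, not the page, writes the origin the user is actually on.
    if client.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")
    # authenticatorData = rpIdHash (32) | flags (1) | signCount (4) | ...
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        failures.append("rpIdHash")
    if not flags & 0x01:                       # bit 0 = user present
        failures.append("userPresent")
    return failures

def make_sample(origin: str, rp_id: str, challenge: bytes):
    """Build constructed sample data in the shape a browser and authenticator return."""
    client = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (1).to_bytes(4, "big")
    return client, auth

if __name__ == "__main__":
    nonce = b"\x01" * 32                       # constructed challenge
    for origin, rp in [(EXPECTED_ORIGIN, RP_ID),
                       ("https://login.examp1e.com", "login.examp1e.com")]:
        print(origin, check_binding(*make_sample(origin, rp, nonce), nonce))
```

An assertion produced on the lookalike host fails both the origin and rpIdHash checks, so a phishing page has nothing to relay that the real site would accept.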
It's vital to note, though, that FIDO MFA is relatively new and is not widely used without fallback authentication methods for account recovery. Organizations must have additional security practices to counteract this issue. The US Cybersecurity and Infrastructure Security Agency offers valuable guidance on defending against phishing attacks.